tv Washington This Week CSPAN December 22, 2013 1:00am-1:21am EST
pet food. this is the reality that we live in today. this is what i wanted to talk to you about. i want to give you bad and good news. the bad news is that we live in a world with exploding complexity of online tracking. i have a team of students at princeton that i'm working with where i am a professor and we are reverse engineering what companies are doing online in terms of tracking us and our personal data. i want to give you good news. you have a lot of power in the situation. there are a lot of things you can do and i want to share that with you as well. what i want to talk about specifically when i talk about online tracking is what i call online tracking which i consider the most insidious form of online tracking. it is where sites other than the ones you are visiting that are typically invisible are
collecting profiles as you are browsing. you might wonder how does this happen? let me show you a screenshot -- this is from a study at stanford of online tracking. this is from the new york times and you can see in the picture how many areas are highlighted in red and these are all content that are being served by sites other than the new york times. when this happens your browser connects to other sites that are concealed and all of these other sites now know you have visited the new york times and whatever other site you visited and that is how they compile information on you. one study revealed there are 64 independent tracking mechanisms on one website. just to drive home this point of how subtle these trackers can be, let me show you a screenshot. let me show you what these
third-party trackers could be. it could be well-known companies. it could be companies that you probably have never heard of. there was one tracker that we found in our database which is very prominent. you probably visited this site and they remember you because they are in the business of remembering you. here is a screenshot of the national health service and you are looking at their syphilis page. a lot of information -- good information. there was a facebook like button on there and five people have clicked it. [laughter] the scary part is that not i table but -- like it, the people who visited were not aware there was a facebook tracker on this page and that facebook is watching what they browse
online. facebook has your identity and knows who you are because you have left your browser logged into facebook like most of us do. if that does not convince you there are some invisible trackers, let me summarize why one may want to worry about this online tracking. there is basically our intellectual privacy because people behave differently when they know there are hundreds of people watching what you do. that is a freedom to protect. there is behavioral profiling and targeting. that is the level of targeting and profiling that this data can reveal about you. there is also preliminary evidence that browsing can be used for price discrimination. you might be the type of person that does not care about this and you only being safe from the government. tell me about the nsa. i have news for you.
in the recent nsa leaks, it was revealed that one of the things they're using to track you is doubleclick tracking cookies. these third-party companies are doing nsa's work for them. scary stuff. i have been working -- researching the online space for four years now. let me share with you some of the things i have found that with what works and what does not work in how you can protect yourself. one piece of good news is that something that does work is public opinion. this might seem logical that a lot of these companies really care if there is a privacy backlash. there have been many incidents because there was a backlash. you might remember google buzz. let me give you an example that is closely related to third-party online tracking. there was this feature called facebook instant personalization. i consider this the most
riotously privacy intrusive. facebook talk silently in the background and they tell you who you are and various things about you like your location and various movies that you like. many experts complained about this. organizations who we have heard about several times already picked up this. because of that, facebook limited it to a very limited rollout and it is not happening today. the internet could be a worse place for privacy if this was allowed to happen. we are living in the reality of facebook. that is one piece of good news. on the other hand, here is something that does not work. efforts for privacy advocates to sit down at the table do not seem to have worked. when they tell me the story of
do not track. i am one of the researchers behind the do not track proposal. they are saying, if you're worried about tracking, we are ok with that because we believe most people will be convinced of the advantages of it. let's make a browser setting so that the browser can help you. browser vendors got on board with this. it is on every browser today. that is called the do not track. what happened? there were two years of constant negotiations and what tracking companies are obligated to do and not obligated to do. everybody has finally agreed that these negotiations are going nowhere. this idea of being on the same
page and talking about it together, that has not worked out. i would say that for do not track, it is time to move on. we are in a world where the interests of the tracking companies and the interests of consumers are misaligned. i am ok with that. we tried but it did not work. i want to tell you there was a bunch of these blocking tools from eye tracking and these blocking tools work really well. adblock plus is an example of what i use. there are more. these are typically browser add-ons. when i tell people about blocking tools, one of the things they say is, this is not a good solution for me because there are new privacy intrusions all the time so i have to go and change the settings again or have to install another blocking
tool. here is my answer to that. i do not necessarily stay on top of all the privacy intrusions that are going on. there are a lot of organizations that are in the business of staying on top of this and telling you about them. there is a privacy company that i like. there are others. one of the things you could do that is very powerful is just get on the twitter feed of these organizations that are in the business of always knowing whenever there is a new privacy intrusion and telling you in very simple steps what you have to install. that is a method that can work for most people. to put it differently, the price of online privacy is vigilance. what we have today is that this eternal vigilance is a problem that can be solved by technology.
people give up when they hear you have to keep changing your privacy settings all the time. i have been doing that and teaching people to do that and that is not hard. all you have to do is set aside an hour or two per month to stay on top of this. that is an easy tool everybody can use. in my years of researching, there is one other point that has come out which has been people get into an arms race. if it is an arms race, bring it on. the balance of power is with consumers. this is because of the legal nuance. safari had a feature to block third-party cookies. google, in one of the tracking features, tried to circumvent this
tracking protection. an independent researcher found this out, who i am going to show you in a second, because of that the federal trade commission was able to step in and said this was a circumvention of the existing privacy tool. google was given a large fine. if it gets into an arms race, there are legal mechanisms to protect us such as the federal trade commission. go ahead, be comfortable in installing those privacy tools. a success story is that reverse engineering by independent researchers has helped a lot in revealing the state of online tracking. these are a couple of guys who have been heroes in this new wave of research. let me summarize the three takeaways that i have for you. the first one is to support
privacy groups because it is true these groups -- a lot of these tools are given news. the second one is going to be to voice your concerns to companies and regulators because we have seen that public opinion has been a powerful force for companies to change their privacy policies. the most important one is that these blocking tools really work. the only caveat here is you have to pick the right tools and stay updated. it involves effort. even though the price of privacy is eternal vigilance, that is not hard. get on twitter, follow some of these privacy newsfeeds. that will almost take care of the problem for you. you will feel like you're in control because you will find out about things as soon as they happen and you will know how to protect yourself. i will leave you with that thought. thank you for your time.
[applause] >> thank you so much. i use a few of those blocking tools on my different browsers and i have to say, yeah, they are impressive in how they work. last but not least, while google may be a household name, there is another search engine that most of you have not heard of. this is a search engine upper websites for devices that are connected to the internet. this search engine is basically scanning the internet for the ip addresses of various devices and enabling people to search and locate these devices. our next speaker is going to be talking about the research he does to determine network security logistics and to perform testing for his clients
using this search engine, among other things. he is here to share with us how we can use this information in empowering ways to carry out repetitive practices of our own. here he is to tell us about all of the rather amazing things that one can find just by searching the internet. thanks, dan. [applause] >> hello. i will be your ponytail for this evening. over the last two years, i have had this habit of finding things on the internet and displaying them and presenting them. this is a very short compilation of some of the things i have found on the internet. it is easy to find interesting stuff online if you know where to look.
you don't need special tools. you don't need special skills. you need a browser. a lot of stuff can be found by searching google, but even more so there is a search engine called shodan that is exposing to the internet versus a webpage. this is the front end of it. this is where you type your query. it is just like google essentially. it is to show you what is connected beyond web servers. you have to imagine the internet like america's freeway system. if you were to get out and look around, if you were to step out over an overpass, you could look inside every truck bed and convertible car. the internet is the same way. people are exposing things either willingly or unknowingly and anybody can look if they know where to look.
there are tons of internet cameras. i found 972,000 publicly accessible webcams. this happens to be in somebody's office. somebody put it on the internet. why? i have no idea. this is another system. this is a camera system i found on the internet. >> ok. too much. this is a hydrogen fuel cell. why someone would want to put that on the internet is beyond my comprehension but it is there and you can get to it if you want to. these things tend to be found at
the base of 4g cell phone towers. wind farms are connected to the internet. here is an interface for one, publicly accessible. it could be italian. some very large industrial system controlling something that looks like it could be under a lot of pressure publicly accessible to the internet. i can control the pumps. do not let me control the pumps. it is a bad idea. this is a private residence. this is a house. it is someone's home. this thermostat might look familiar. this is a thermostat system that i think is made by honeywell. it is a popular controller to do this kind of thing. these are connected to the
internet as well and they have touch panels you can control using a vnc protocol over the internet. larger systems that could be in large buildings like this one, this is a system that controls the boiler room. this is a contents-under-pressure situation where the system is publicly accessible online. you probably don't want nefarious people getting their hands on it. you have to ask yourself -- this system has been online for years and years. if a bad guy wanted to do bad stuff with it, why haven't they already? to take that a step further, some of today's other speakers have elaborated. you can start to infer things based on this information that you find and you can cross-link information to find more interesting things. this is a short little example of that. this is a camera system that i found somewhere in the united states that is using another
internet ash network phase -- network interface. i can control this over the internet using a browser. i can pan around and spy on the girl at the front desk and i can look around the room and a lobby. so i did. there is a cool tool you can put into chrome. it will tell you some small details about the website you are visiting, the city it is in, whether it is scary or not, things like that. you can validate where this thing lives. in this case it is in newburyport, massachusetts. panning the camera over to the logo on the front door which laughably says security integrators. using that information and their city, i was able to find out on google where they are and this is as close as google maps would let me get to them.
this was done with a browser. i use nothing but google chrome to do this. no special tools, just playing on the internet. you can take it up a notch and do some simple social engineering. it is amazing what you can do and this was not me, but these were sent to me. it is amazing what you can do when you call a person working at a pizza place and say, we are watching you, you should do some stuff. i've been doing this talk for a while and based on what i've done, people on the internet have used some tools i released and one of them was inside of a pizza place. they called the place and you see the monitor on the far left is covered in brown paper. they told the girl that there was something wrong with the computer and that in order to fix it they had to put brown paper around it and she had to
write "omg hax." massive cooling equipment could not be found on the internet. i never really worked on an industrial setting before but this is a building that has 15 youth average of coolers. this is the interface. it is publicly accessible. us talk about information linkage -- begins. this is a ui. if you can tell what the name of the guy is that admins this when i am not doing it, i will give you one dollar. he even mailed me because my computer's name appeared in the list when i landed on this controller. things in the world around you are keeping track of and loosely logging places in not a lot of